[aur-dev] [PATCH] Fix for information leak in login logic.
--- web/lang/en/index_po.inc | 7 +++---- web/lib/aur.inc | 6 ++---- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/web/lang/en/index_po.inc b/web/lang/en/index_po.inc index 66a7834..bdeb87f 100644 --- a/web/lang/en/index_po.inc +++ b/web/lang/en/index_po.inc @@ -35,16 +35,12 @@ $_t["en"]["For now, it's just a place holder."] = "For now, it's just a place ho $_t["en"]["It's more important to get the login functionality finished."] = "It's more important to get the login functionality finished."; -$_t["en"]["Error looking up username, %s."] = "Error looking up username, %s."; - $_t["en"]["Login"] = "Login"; $_t["en"]["Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience."] = "Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience."; $_t["en"]["If you have feedback about the AUR, please leave it in %hFlyspray%h."] = "If you have feedback about the AUR, please leave it in %hFlyspray%h."; -$_t["en"]["Incorrect password for username, %s."] = "Incorrect password for username, %s."; - $_t["en"]["Latest Packages:"] = "Latest Packages:"; $_t["en"]["Discussion about the AUR takes place on the %sTUR Users List%s."] = "Discussion about the AUR takes place on the %sTUR Users List%s."; @@ -94,6 +90,9 @@ $_t["en"]["The most popular packages will be provided as binary packages in [com $_t["en"]["Packages added or updated in the past 7 days"] = "Packages added or updated in the past 7 days"; $_t["en"]["Out-of-date"] = "Out-of-date"; + $_t["en"]["DISCLAIMER"] = "DISCLAIMER: Unsupported PKGBUILDs are user produced content, by downloading them you agree to do so at your own risk."; +$_t["en"]["Login failure: Bad user or pass."] = "Login failure: Bad user or pass."; + ?> diff --git a/web/lib/aur.inc b/web/lib/aur.inc index 5dec6e3..5cfb3c8 100644 --- a/web/lib/aur.inc +++ b/web/lib/aur.inc 
@@ -363,13 +363,11 @@ function html_header($title="") { $q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'"; $result = db_query($q, $dbh); if (!$result) { - $login_error = __("Error looking up username, %s.", - array(htmlspecialchars($_POST["user"]))); + $login_error = __("Login failure: Bad user or pass."); } else { $row = mysql_fetch_row($result); if (empty($row)) { - $login_error = __("Incorrect password for username, %s.", - array(htmlspecialchars($_POST["user"]))); + $login_error = __("Login failure: Bad user or pass."); } elseif ($row[1]) { $login_error = __("Your account has been suspended."); } -- 1.5.3.7
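Review bot: in the web/lib/aur.inc hunk, the `if (!$result)` branch is a db_query() failure rather than a rejected credential, yet it now shows the same "Login failure: Bad user or pass." text as the empty-row branch; keep the generic client message, but log the query failure server-side (error_log() or similar) so a database outage is not mistaken for a burst of bad logins. With both branches returning identical text the username-existence distinction is gone, which is the point of the change, and dropping the htmlspecialchars($_POST["user"]) interpolation also removes a place where user input was echoed back. Two things the context lines expose that this patch does not touch: the password is compared inside the SQL string (`$q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'"`), so any hashing has to happen before this line and should be confirmed, and the whole check sits inside html_header(), which belongs in its own function (as the follow-up in this thread does).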
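Review bot: the two web/lang/en/index_po.inc hunks only update the English table; if other web/lang/*/ directories exist they still carry the removed "Error looking up username, %s." and "Incorrect password for username, %s." keys and lack the new "Login failure: Bad user or pass." entry, so they should be updated in the same commit (a missing key only falls back to the untranslated literal, which is why nothing breaks). The new key is also added in the second hunk next to "Out-of-date" rather than beside the "Login" entry where the removed strings lived; keeping the login strings together makes the later string review easier.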
Hey take a look at my last patch. This is fixed as well; login is moved into its own function and the login form template is used. I'll ping the thread so you can see it. On Sun, Feb 17, 2008 at 3:38 PM, eliott <eliott@cactuswax.net> wrote:
--- web/lang/en/index_po.inc | 7 +++---- web/lib/aur.inc | 6 ++---- 2 files changed, 5 insertions(+), 8 deletions(-)
I was just working off the current 'testing' branch on projects.archlinux.org for the AUR. On 2/17/08, Loui <louipc.ist@gmail.com> wrote:
Hey take a look at my last patch. This is fixed as well; login is moved into its own function and the login form template is used. I'll ping the thread so you can see it.
On Sun, Feb 17, 2008 at 3:38 PM, eliott <eliott@cactuswax.net> wrote:
--- web/lang/en/index_po.inc | 7 +++---- web/lib/aur.inc | 6 ++---- 2 files changed, 5 insertions(+), 8 deletions(-)
Yep that's what my patches are based off of. On Sun, Feb 17, 2008 at 5:42 PM, eliott <eliott@cactuswax.net> wrote:
I was just working off the current 'testing' branch on projects.archlinux.org for the AUR.
On 2/17/08, Loui <louipc.ist@gmail.com> wrote:
Hey take a look at my last patch. This is fixed as well; login is moved into its own function and the login form template is used. I'll ping the thread so you can see it.
On Sun, Feb 17, 2008 at 3:38 PM, eliott <eliott@cactuswax.net> wrote:
--- web/lang/en/index_po.inc | 7 +++---- web/lib/aur.inc | 6 ++---- 2 files changed, 5 insertions(+), 8 deletions(-)
On Sun, Feb 17, 2008 at 12:38:41PM -0800, eliott wrote:
--- web/lang/en/index_po.inc | 7 +++---- web/lib/aur.inc | 6 ++---- 2 files changed, 5 insertions(+), 8 deletions(-)
Applied. I'm going to leave Loui's functionalization for the next release since it needs more thorough looking at/testing and I'd like to release now/soon. (read: I already merged Loui's patch in my working code, but won't be including it in tonight's release) -S
On Mon, Feb 18, 2008 at 8:19 PM, Simo Leone <simo@archlinux.org> wrote:
On Sun, Feb 17, 2008 at 12:38:41PM -0800, eliott wrote:
--- web/lang/en/index_po.inc | 7 +++---- web/lib/aur.inc | 6 ++---- 2 files changed, 5 insertions(+), 8 deletions(-)
Applied. I'm going to leave Loui's functionalization for the next release since it needs more thorough looking at/testing and I'd like to release now/soon. (read: I already merged Loui's patch in my working code, but won't be including it in tonight's release)
-S
My patches and Eliott's info leak patch will cause a conflict, so you'll need to revert Eliott's before you apply mine. I'd recommend that soon after the release so there's a minimal chance of further conflict. Here's what she looks like after: http://git.louipc.dontexist.org/?p=aur;a=summary
On Mon, Feb 18, 2008 at 10:54:25PM -0500, Loui wrote:
My patches and Eliott's info leak patch will cause a conflict, so you'll need to revert Eliott's before you apply mine. I'd recommend that soon after the release so there's a minimal chance of further conflict.
Here's what she looks like after: http://git.louipc.dontexist.org/?p=aur;a=summary
Ok, pushed to my working branch with conflict resolved. There is, however, one minor issue. We have translated strings for all the login errors already; however, we don't use __() on them right now in the template. We could just do something like __($login_error), but this makes it impossible for the translation string scanner to look for the strings that need translation. Ideas? -S
On 2/20/08, Simo Leone <simo@archlinux.org> wrote:
We have translated strings for all the login errors already; however, we don't use __() on them right now in the template. We could just do something like __($login_error), but this makes it impossible for the translation string scanner to look for the strings that need translation. Ideas?
maybe add some kind of comment directive to scan

## trans: Translate this fool!
$login_error = "Translate this fool!";

I don't know what other apps do for this type of thing. This is just a crazy idea I just came up with.
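Simo's question (translated strings exist, but `__($login_error)` would hide the literals from the string scanner) and eliott's comment-directive idea both come down to the same requirement: the literal must stay in the source where a scanner can find it, while the translation happens at render time. The common answer is a no-op marker function, the pattern gettext calls N_() or gettext_noop(). The PHP below is an added example, not AUR code and not from anyone in this thread; the `$_t` table, `__()` and `__N()` are reconstructed or assumed here, the account table is constructed, and it uses PHP's password_hash()/password_verify() (PHP 5.5+) instead of the SQL password comparison in the patch, plus a dummy-hash check so an unknown username does the same work as a wrong password.

```php
<?php
// Added example, not AUR code. Reconstructs a tiny $_t[lang][key] table and a
// __() helper in the shape used by web/lang/en/index_po.inc, then shows the
// no-op marker pattern (gettext's N_() / gettext_noop()) that keeps login
// error literals scannable while deferring translation to the template.

$LANG = "en";
$_t = array();
$_t["en"]["Login failure: Bad user or pass."] = "Login failure: Bad user or pass.";
$_t["en"]["Your account has been suspended."] = "Your account has been suspended.";

// Marker: returns its argument unchanged. Point the string scanner at __N("...")
// call sites in addition to __("...") and every login error key is collected.
function __N($s) { return $s; }

// Lookup in the current language table; unknown keys fall back to the key.
// $args mimics the __("...", array(...)) placeholder form seen in the patch.
function __($s, $args = array()) {
    global $_t, $LANG;
    $out = isset($_t[$LANG][$s]) ? $_t[$LANG][$s] : $s;
    return empty($args) ? $out : vsprintf($out, $args);
}

// Constructed account table: password hashes instead of the raw Passwd column
// compared inside SQL in the patch. DUMMY_HASH is verified against when the
// user is unknown so both failure cases do comparable work.
define("DUMMY_HASH", password_hash("not-a-real-password", PASSWORD_DEFAULT));
$accounts = array(
    "alice"   => array("hash" => password_hash("correct horse", PASSWORD_DEFAULT),
                       "suspended" => false),
    "mallory" => array("hash" => password_hash("hunter2", PASSWORD_DEFAULT),
                       "suspended" => true),
);

// Returns null on success or a message *key*. Unknown user and wrong password
// share one key, so the response gives no hint which of the two happened.
function check_login($user, $pass, $accounts) {
    $known = isset($accounts[$user]);
    $hash  = $known ? $accounts[$user]["hash"] : DUMMY_HASH;
    $ok    = password_verify($pass, $hash);
    if (!$known || !$ok) {
        return __N("Login failure: Bad user or pass.");
    }
    if ($accounts[$user]["suspended"]) {
        return __N("Your account has been suspended.");
    }
    return null;
}

// Template side: the key is translated here. No user-controlled text is echoed,
// which is why the htmlspecialchars($_POST["user"]) from the old messages is gone.
$attempts = array(
    array("alice",   "wrong"),          // wrong password
    array("nobody",  "wrong"),          // unknown user, same message as above
    array("mallory", "hunter2"),        // correct password, suspended account
    array("alice",   "correct horse"),  // success
);
foreach ($attempts as $a) {
    $login_error = check_login($a[0], $a[1], $accounts);
    $shown = ($login_error === null) ? "logged in" : htmlspecialchars(__($login_error));
    echo str_pad($a[0], 8), " -> ", $shown, "\n";
}
```

With an xgettext-style scanner the marker is picked up by adding `__N` as an extra keyword (`--keyword=__N`); a home-grown scanner just needs a second pattern. The first two attempts print the identical "Login failure: Bad user or pass." line, which is the behaviour the original patch was after, and the suspended message only appears once the credentials themselves were correct.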
participants (3)
- eliott
- Loui
- Simo Leone